TOPIC understanding VoIP vulnerabilities


How Fragile is your VoIP Implementation?

For a long time, telecommunications networks and telephony services have been a part of the critical information infrastructure. They have always had high requirements for availability and Quality of Service (QoS). The advent of VoIP (Voice over Internet Protocol), also called IPTel (IP Telephony), has brought telephony services to new networks. VoIP provides the same range of services over different transport protocols. From a reliability perspective, VoIP is no different from legacy telephony infrastructure.

In VoIP, telephony services are provided specifically over the IP protocol family. VoIP in itself does not imply in any way that the public and open Internet should be used as the transport network. Using IP networks does not automatically mean using the Internet. The most common method of implementing enterprise VoIP is through private dedicated lines as opposed to using the public Internet to route the calls. This is partially because of the risks involved with the open and hostile Internet.

Data and Telephony Double the Threat

Looking at threats, attacks and vulnerabilities for VoIP, we need to consider it both as a telephony service and as an IP data service. Both of these domains come with their own sets of threats, attacks and vulnerabilities. A VoIP service can be taken down by approaching it from a VoIP protocol standpoint, but it can also be attacked as any other IP network. The attack methods range from flooding the systems and networks with traffic to crafting malicious packets that may compromise the target systems and take them down.

Threat analysis and related vulnerability analysis will always reveal the true business risks involved with VoIP. If there are no vulnerabilities, there is zero risk of threats becoming realized. If vulnerabilities can be assumed to exist, the system can be attacked by using attack scripts, viruses and worms. In real life every single piece of software will always have bugs and vulnerabilities. The number of bugs can be reduced dramatically through rigorous testing and verification. Often this is the only way to control the total business risks associated with VoIP.

Most Vulnerabilities Caused by Implementation Mistakes

According to RFC3027, a vulnerability can be defined as: "A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy."

Vulnerabilities can be introduced during various phases in the software lifecycle: requirements capture, design, implementation, or configuration. Statistics from NIST (National Institute of Standards and Technology) show that more than 70% of all vulnerabilities discovered are caused by implementation mistakes, i.e. bugs introduced during actual coding. Bad design choices or insecure default configurations only amount to 20-25% of all reported vulnerabilities.

Table: Vulnerability Type: Input validation error. Columns: Year, # of Vulns, % of Total. % of Total: 68%, 66%, 58%, 54%, 50%, 49%. Source: NIST, an Agency of the U.S. Commerce Department

Open Networks, Hostile Traffic

The greatest difference between traditional telephony and Next Generation Networks (NGN), where everything is built on top of Internet Protocol (IP), is the openness of the system. In traditional systems an uptime of 'five nines' (99.999% uptime) could be measured by simulating traffic over an extensive period of time. The traffic used for these tests was for the most part normal. Little to no anomalous or malicious traffic was used.

In the Internet, no-one guarantees that the working environment contains only "normal" traffic. In fact, it is a certainty that there will be malicious attackers sending hostile traffic flows and corrupted packets in an attempt to disrupt services. Securing a Next Generation Network (NGN) that uses the open, public Internet requires finding and fixing all of the reliability flaws in all of the used software components. An attacker needs to find only one reliability or security flaw in order to take down the entire service.

Service Disruption Equals Loss

The operation of any service can be disrupted, denied or altered in such a way that the original service is not available any more. The service disruption category of threats and vulnerabilities is one of the biggest reasons for revenue loss through downtime and maintenance costs.

The list of services that can be threatened will be under constant change as new services are introduced to IP telephony. Example telephony services today include: making and receiving calls, using voice mail, caller ID, international calling, telephone numbering, call waiting, call transfer, location services, encryption, lawful intercept, and emergency services. All of these can be disrupted by simple Denial of Service (DoS) attacks.

Attacks: Brute Force or Intelligent and Targeted?
DoS situations arise from performance problems and software quality issues. The two main categories for DoS attacks are:

1. Load, stress and performance-based attacks
2. Robustness, torture testing, fuzzing, protocol-based attacks

In the first category, a DoS attack is performed by sending an excessive amount of network traffic to a target system. The focus is on rendering a particular network element unavailable by bombarding the interfaces that are open to the network.

The second category of DoS attacks employs anomalous messages where the traffic does not conform to any normal expectations. In this type of attack even a single well-crafted packet can shut down a service. Buffer overflow attacks constitute the best-known variant of protocol-based DoS attacks.

Attacks performed with anomalous protocol packets can lead to total system compromises. In a total compromise, an attacker "owns" the system and can control, monitor and reconfigure any services and processes on behalf of the intended users of the system. An example of a total compromise is a worm attack where a worm runs inside the victim's computer and impersonates the victim when creating new communication sessions.

Defending VoIP with Proactive, Targeted Testing

Load-based DoS attacks are detected easily and can be mitigated by denying traffic from the malicious parties in cooperation with service providers and law enforcement agencies. The risks for these attacks can be reduced by providing more bandwidth, distributing incoming traffic through load-balancing, and by provisioning resources carefully.

Attacks done through anomalous protocol messages are much harder to prevent and mitigate. When an attack of this type occurs, it is already too late to fix the bugs in the software. The victim can only do damage control and try to minimize loss. The only way to prevent protocol-based attacks is to subject the used software to extensive negative testing even before any attackers get the chance to approach it.

The robustness, security and overall quality of an implementation can be determined by bombarding it with tens of thousands of protocol messages that simulate potential malicious attacks. Systematic, automated and repeatable robustness testing enables software vendors, operators, enterprises, and end-users to verify the security and quality of their VoIP implementations already at an early stage during adoption. Many fuzzing tools on the market generate pseudo-random traffic, with little or no chance for repeatability and very poor test coverage.
Robustness testing with carefully designed and prepackaged test suites can find flaws more efficiently and assuredly. This type of testing also fits extremely well into existing test automation systems.

[Figure: Protecting Against DoS Attacks. Labels: Load-based attacks (mitigation through partitioning and load-balancing); Protocol-based attacks (Codenomicon defense: interface hardened through proactive robustness testing); Critical VoIP System.]
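An added example (not from the original paper or from Codenomicon's tools) of the repeatable negative testing described above: a fixed suite of anomalous SIP-like messages is run in-process against two hypothetical parsers, one fragile and one with strict input validation. The parser functions, length limits, case names and sample message are all assumptions made for illustration; an unhandled Python exception stands in for the crash a native implementation would suffer.

```python
import re

REQ_LINE = re.compile(r"[A-Z]{3,16} sip:[\x21-\x7e]{1,200} SIP/2\.0")
HDR = re.compile(r"([A-Za-z][A-Za-z0-9-]{0,31}):[ \t]*([\x20-\x7e]{0,200})")

class SipReject(Exception): pass  # controlled rejection: the desired outcome

def fragile_parse(raw: bytes) -> int:  # no limits, no error handling
    head, body = raw.split(b"\r\n\r\n", 1)
    lines = head.decode("ascii").split("\r\n")
    method, uri, version = lines[0].split(" ")
    headers = dict(l.split(": ", 1) for l in lines[1:])
    return int(headers["Content-Length"])

def hardened_parse(raw: bytes) -> int:
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not head.isascii():
        raise SipReject("missing terminator or non-ASCII header")
    first, *rest = head.decode("ascii").split("\r\n")
    fields = [HDR.fullmatch(line) for line in rest]
    if not REQ_LINE.fullmatch(first) or not all(fields):
        raise SipReject("bad request line or header (format or length)")
    hdrs = {m.group(1).lower(): m.group(2) for m in fields}
    clen = hdrs.get("content-length", "0")
    if not clen.isdigit() or int(clen) != len(body):
        raise SipReject("bad Content-Length")
    return int(clen)

VALID = (b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
         b"Call-ID: a1\r\nContent-Length: 0\r\n\r\n")  # constructed sample
SUITE = [("valid-baseline", VALID),  # fixed order, stable IDs, same bytes every run
         ("overlong-uri", VALID.replace(b"bob", b"A" * 5000)),
         ("no-terminator", VALID.rstrip(b"\r\n")),
         ("negative-clen", VALID.replace(b"Length: 0", b"Length: -1")),
         ("non-ascii", b"\xff\xfe" + VALID),
         ("header-no-colon", VALID.replace(b"Call-ID: a1", b"Call-ID a1"))]

def run_suite(parser) -> dict:
    """Map case ID to 'accepted', 'rejected' or 'CRASH:<exception>'."""
    results = {}
    for case_id, data in SUITE:
        try:
            parser(data)
            results[case_id] = "accepted"
        except SipReject:
            results[case_id] = "rejected"
        except Exception as exc:  # unhandled exception = robustness flaw
            results[case_id] = "CRASH:" + type(exc).__name__
    return results
```

A finding is any verdict other than "accepted" for the baseline and "rejected" for an anomaly; because the suite is fixed, a finding can be re-run by its case ID after the fix.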

Conclusion

VoIP networks must meet the same rigorous demands for availability as traditional telecommunications networks. Since open environments make VoIP systems more susceptible to protocol-based DoS attacks, proactive and upfront testing is essential for ensuring security, reliability and robustness.

New attack techniques are being developed constantly. This means that attacks are becoming increasingly hard to mitigate en route. Firewalls, IDS systems and other stopgap solutions can never stop all attacks. The most cost-effective solution is to harden the implementations themselves by means of automated negative testing.

The best defense against VoIP vulnerabilities is a great, proactive offense. You must test your software before someone else does.

For More Information

For more information on protecting your VoIP implementations or to learn more about the broad set of robustness and security testing tools offered by Codenomicon, please visit our website or contact one of our sales representatives.
